False positive? 0.12.1 Windows agent detected as Trojan:Script/Wacatac.C!ml by Windows Defender
Component: Agent
Description: Trying to update a Windows 11 agent to 0.12.1 is failing because Defender is quarantining beszel-agent_windows_amd64.zip during the Scoop update.
OS / Architecture: Windows 11
Beszel version: 0.12.1
Installation method: Binary
It's a false positive. Unfortunately this is a common problem for Go programs on Windows: https://go.dev/doc/faq#virus
I'll submit it to Microsoft for malware analysis. We could probably avoid this with signing, but I don't want to pay money to do that.
Here are all the changes from 0.12.0 to 0.12.1: https://github.com/henrygd/beszel/compare/v0.12.0...v0.12.1
Yes I added it to exclusions and then the update succeeded. Sorry to bother.
How much is the cost for the authenticode signature or whatever is needed? I bet as popular as Beszel is you could ask Windows users to donate a few bucks per year to cover the cost for that.
No bother at all.
I think it's around a few hundred bucks a year. There may be cheaper options or FOSS programs. I'll look further into it over the weekend.
Even when signing the binaries with an EV Code Signing Cert, this will only give you a higher base reputation for SmartScreen; it doesn't instantly eliminate this issue. It could be that you will still have to submit the binary for analysis to Microsoft.
Sidenote:
When distributing through winget this usually shouldn't be a problem, as the binaries run through Defender / security checks when being added to the winget community repository. This is retried every few hours until they pass Defender validation (which usually takes between a few hours and a few days). Once the binaries are available through winget, they shouldn't trigger a Defender warning anymore (this then also applies to Scoop).
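The workaround reported earlier in the thread (add an exclusion, then re-run the update) and the signing discussion above both come down to the same question: is this the binary the project published, and what does Defender see when it looks at it? As an added example that is not code from this issue or from the Beszel project, the PowerShell script below walks that triage on one machine: list the detection, verify the downloaded archive against the SHA-256 published with the release, report the executable's Authenticode and Mark-of-the-Web state, and only then add an exclusion scoped to the agent's directory rather than disabling real-time protection. The Scoop app directory, the executable name `beszel-agent.exe`, the archive path, and the `$ExpectedSha256` value (copied by hand from the release page) are assumptions, not facts from the page.

```powershell
# Added example, not from the issue thread or the Beszel project: triage a
# Defender detection on a Go release binary before trusting it. Assumptions
# (not from the page): Scoop's layout under $env:USERPROFILE\scoop, the exe
# name beszel-agent.exe, and $ExpectedSha256 copied from the release page.
#Requires -RunAsAdministrator
param(
    [string]$AppDir     = "$env:USERPROFILE\scoop\apps\beszel-agent\current",
    [string]$ThreatName = 'Trojan:Script/Wacatac.C!ml',
    # Path to the downloaded beszel-agent_windows_amd64.zip (Scoop cache or manual download)
    [Parameter(Mandatory)] [string]$Archive,
    [Parameter(Mandatory)] [string]$ExpectedSha256
)

# 1. Find the detection by threat name; Resources lists the files it touched.
function Get-DefenderDetection {
    param([string]$Name)
    $ids = (Get-MpThreat | Where-Object ThreatName -eq $Name).ThreatID
    Get-MpThreatDetection |
        Where-Object { $ids -contains $_.ThreatID } |
        Select-Object InitialDetectionTime, ProcessName, Resources
}

# 2. The archive must match the hash the project published. If it does not,
#    stop: a mismatched download is not a false positive to be excluded.
function Test-ReleaseHash {
    param([string]$Path, [string]$Expected)
    $actual = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    [pscustomobject]@{ Path = $Path; Sha256 = $actual; Matches = ($actual -ieq $Expected) }
}

# 3. Signature and Mark-of-the-Web state. An unsigned Go binary reports
#    Status 'NotSigned'; the Zone.Identifier stream (ZoneId=3) is what tells
#    SmartScreen the file came from the internet.
function Get-BinaryTrustState {
    param([string]$Exe)
    $sig  = Get-AuthenticodeSignature -FilePath $Exe
    $zone = Get-Content -Path $Exe -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Exe       = $Exe
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        MarkOfWeb = ($null -ne $zone)
        ZoneInfo  = ($zone -join ' ')
    }
}

# 4. Narrow exclusion: this directory and this process only, so the rest of
#    the machine keeps real-time protection. Undo with Remove-MpPreference.
function Add-AgentExclusion {
    param([string]$Dir, [string]$Exe)
    Add-MpPreference -ExclusionPath $Dir -ExclusionProcess $Exe
    (Get-MpPreference).ExclusionPath | Where-Object { $_ -eq $Dir }
}

Get-DefenderDetection -Name $ThreatName | Format-List

$hash = Test-ReleaseHash -Path $Archive -Expected $ExpectedSha256
$hash | Format-List
if (-not $hash.Matches) {
    throw "SHA-256 mismatch for $Archive; do not exclude or run it."
}

$exe = Join-Path $AppDir 'beszel-agent.exe'   # assumed executable name
if (Test-Path $exe) { Get-BinaryTrustState -Exe $exe | Format-List }

Add-AgentExclusion -Dir $AppDir -Exe $exe

# If Defender already quarantined the file, release it by threat name
# (MpCmdRun.exe -Restore -ListAll shows what is held), then re-run the update.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -Name $ThreatName
```

The hash check is the step that matters: an exclusion added before the download has been verified trusts whatever landed in the cache, signed or not. The signature report is what changes if the project adopts code signing; until then expect `NotSigned`, which is the state the reputation-based discussion above is about.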
Hi, I just had the same issue this morning. I updated my agents via WinGet and Scoop (different machines) to the latest version and Defender really didn't like it; it seems to be a Ring0 issue with communication for telemetry. I am trying to whitelist it but Defender keeps shutting it down every few minutes. May have to roll back to version 11.

Update: I manually recompiled the latest 12.3 version so as not to use winget and distributed the agents to my machines (Server 2022 and 2025 and Win 10 Pro). This worked fine, but likely because I closed the investigations in Defender and allowed the sys file from version 12.2 on the endpoints. One server is still blocking the telemetry, but that's fine; it might be the server, not Beszel. Thanks again for your work on this, it is a very good tool!
@MapleSoda No problem, thanks for the update. Glad you got it working.
@a-mnich I didn't know that about WinGet, thanks for pointing that out. Definitely a nice benefit.